| Anonymous | Login | 2024-04-20 04:37 EDT |  |
| Main | My View | View Issues | Change Log | Roadmap |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | |||
| 0001293 | PacketFence | security | public | 2011-10-03 11:42 | 2011-10-24 20:17 | |||
| Reporter | mattd | |||||||
| Assigned To | obilodeau | |||||||
| Priority | normal | Severity | major | Reproducibility | always | |||
| Status | closed | Resolution | fixed | |||||
| Platform | OS | OS Version | ||||||
| Product Version | devel | |||||||
| Target Version | 3.0.2 | Fixed in Version | 3.0.2 | |||||
| Summary | 0001293: Issues with LDAP-based authentication in web administration interface (login.php) | |||||||
| Description | There are two issues with LDAP-based authentication in the web administration interface (in script html/admin/login.php), which may allow an attacker access under certain system setups: The user-supplied username is not escaped before being interpolated into the LDAP search filter used for authentication, leading to weaker security. For example, a username with a "*" character could be used to perform a substring- or presence-based match on the username LDAP attribute, instead of equality-based. This could help an attacker use a valid username without needing to know of one beforehand. The user-supplied password is not checked to see if it is nonempty; the isset function used in check_password will still return true on an empty password. This leads to the ability to perform unauthenticated binds (if they are enabled on the LDAP server), allowing an attacker to 'authenticate' into the web administration interface without needing a valid password. | |||||||
| Tags | No tags attached. | |||||||
| fixed in git revision | ||||||||
| fixed in mtn revision | 040493ea147330b41fd2b19d1c3cc1cf8c8d6929 | |||||||
| Attached Files |  security-fix-1293-ldap-anonymous-bind.patch [^] (939 bytes) 2011-10-12 11:00 [Show Content]
security-fix-1293-ldap-injection.patch [^] (799 bytes) 2011-10-12 15:01 [Show Content]
security-fix-1293-anonymous-bind-pf19.patch [^] (1,777 bytes) 2011-10-24 11:27 [Show Content]
| |||||||
 Relationships |
 Notes |
|
|
(0002337) obilodeau (reporter) 2011-10-12 14:31 |
Fixed the auth bypass with empty password. The patch is a simpler version of the real fix, since I wanted error reporting not to break layout. I feel very bad about this one, especially since we knew about the possibility and thought we were defended against it. Turns out we misinterpreted this: "If bind_rdn and bind_password are not specified, an anonymous bind is attempted." from http://www.php.net/manual/en/function.ldap-bind.php [^] By thinking that if we were passing an empty string this would could as being specified. Yes! I am blaming it on the manual! ;) This first fix is committed in revno: d0aba756a3e8ff9002c0dd9be1885ea6d38ea0ff |
|
(0002338) obilodeau (reporter) 2011-10-12 15:07 |
Fixed LDAP injection issue. Applying strict rules on what type of usernames are allowed. Fix will be released in 3.0.2 shortly. Those you can't wait or who won't upgrade in a timely fashion should apply the attached patch. It should apply cleanly on 2.2.0+. Patches for earlier versions can be provided on request. |
|
(0002364) obilodeau (reporter) 2011-10-17 10:39 |
LDAP Authentication bypass has been assigned CVE-2011-4068. LDAP Injection has been assigned CVE-2011-4069. |
|
(0002377) obilodeau (reporter) 2011-10-24 13:08 |
Additional change *not* in the attached patch but in upcoming 3.0.2: allowing dot (.) in username. Just change regexp to:
if(preg_match("/^[\@a-zA-Z0-9_\:\,\(\)\.]+$/", $input) && strlen($input) <= 15){
|
|
(0002385) obilodeau (reporter) 2011-10-24 20:15 |
fix released in 3.0.2 |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2011-10-03 11:42 | mattd | New Issue | |
| 2011-10-06 11:46 | obilodeau | Status | new => assigned |
| 2011-10-06 11:46 | obilodeau | Assigned To | => obilodeau |
| 2011-10-12 11:00 | obilodeau | File Added: security-fix-1293-ldap-anonymous-bind.patch | |
| 2011-10-12 14:31 | obilodeau | Note Added: 0002337 | |
| 2011-10-12 15:01 | obilodeau | File Added: security-fix-1293-ldap-injection.patch | |
| 2011-10-12 15:07 | obilodeau | mtn revision | => 040493ea147330b41fd2b19d1c3cc1cf8c8d6929 |
| 2011-10-12 15:07 | obilodeau | Note Added: 0002338 | |
| 2011-10-12 15:07 | obilodeau | Status | assigned => resolved |
| 2011-10-12 15:07 | obilodeau | Fixed in Version | => +1 |
| 2011-10-12 15:07 | obilodeau | Resolution | open => fixed |
| 2011-10-12 15:07 | obilodeau | Relationship added | related to 0001209 |
| 2011-10-17 10:39 | obilodeau | Note Added: 0002364 | |
| 2011-10-24 11:27 | dwuelfrath | File Added: security-fix-1293-anonymous-bind-pf19.patch | |
| 2011-10-24 13:08 | obilodeau | Note Added: 0002377 | |
| 2011-10-24 16:45 | obilodeau | View Status | private => public |
| 2011-10-24 20:15 | obilodeau | Target Version | => 3.0.2 |
| 2011-10-24 20:15 | obilodeau | Note Added: 0002385 | |
| 2011-10-24 20:16 | obilodeau | Status | resolved => closed |
| 2011-10-24 20:17 | obilodeau | Fixed in Version | +1 => 3.0.2 |
|
Issue History |
| Copyright © 2000 - 2012 MantisBT Group |
 |